Jsch public key problems


Jsch has a problem handling public key authentication with encrypted (password protected) keys. To get around it, the ~/.ssh/config can't contain an IdentityFile in any section that Jsch decides to read. To see a full description of the problem, stack traces and a couple of workarounds, see this gist: https://gist.github.com/niclasnilsson/038f20bee1bd19e970d59ba35732e262.

Note: the problem is not specific to tools.deps, but was discovered using it, so Alex Miller asked for an issue to be added in order to keep track of the problem.




Alex Miller
April 22, 2021, 6:19 PM

In latest Clojure CLI, we are shelling out to git and I believe this is no longer an issue (as jsch is no longer used). Reopen if still seeing with latest.

Matt Anderson
November 27, 2018, 9:48 PM

I ran into this issue as well and found the underlying cause before I found this workaround, so I thought I'd submit a patch. As alluded to in the gist, JSCH does not know about jsch-agent-proxy and so it attempts to resolve keys as it would normally. In normal execution it expects a `UserInfo` implementation when it encounters an encrypted (password protected) private key. The code throws an Exception right off the bat if the `UserInfo` implementation doesn't exist and doesn't give the jsch-agent-proxy a chance to pull the keys from the ssh-agent. Below snippet from `com.jcraft.jsch.UserAuthPublicKey#start` lines 118-130:

if((identity.isEncrypted() && passphrase==null)){
if(userinfo==null) throw new JSchException("USERAUTH fail");
if(identity.isEncrypted() &&
!userinfo.promptPassphrase("Passphrase for "+identity.getName())){
throw new JSchAuthCancelException("publickey");
//throw new JSchException("USERAUTH cancel");
String _passphrase=userinfo.getPassphrase();

The fix is to set a placeholder `UserInfo` implementation on the `Session` so that the above Exception isn't thrown and the ssh-agent can handle returning the keys to JSCH. With the patch, there is no need to perform the workaround of removing the `IdentityFile` property from your `~/.ssh/config` file.

The patch is attached (today: 2018-11-27) and is called `tdeps-49-fix.patch`. Let me know if you have questions.

Alex Miller
March 6, 2018, 2:07 PM

Thanks for tracking all that down and writing it up...



Alex Miller